Underfunding IT security programs

A news story in my local newspaper caught my eye today. “State fails ‘hacker’ test” was the headline. The state of Colorado (U.S.) had hired an outside security assessment firm to perform penetration tests across the IT infrastructure of various state agencies.

The findings from the assessment firm were sadly predictable. The pen testers got into many state networks and IT systems, and along the way they found instance after instance of the usual weaknesses: easily guessable logins and passwords, system default passwords that were never changed, and systems that were never hardened and so still had unnecessary ports open and services running. Through these the assessment firm was able to reach large amounts of private data and personally identifiable information. The story also carried the predictable comments from lawmakers expressing indignation at the sorry state of security for Colorado’s IT systems.

The real story, however, was buried in the article. The state agency in Colorado that was tasked with securing state IT systems estimated that the cost of implementing an adequate cybersecurity plan across all state IT systems would be $40M… and the office had a budget of $400K! Is it any wonder the pen testers got in? That is funding at one percent of the office’s own estimate: for every $100 the IT security professionals need to do the job adequately, they are getting a whopping $1 to implement their security plans and controls.

With the present economic climate, I’d guess most governmental entities (and probably a lot of businesses as well) are in a similar situation: They don’t have the tax revenues to adequately fund IT security, and therefore can’t effectively protect access to information.

The “reality disconnect” here is that in the U.S., at least 45 of the 50 states have passed breach notification laws modeled on California’s groundbreaking SB1386, which requires organizations to notify individuals when their personal information has been exposed. The states, in other words, demand that businesses protect and account for personal data while leaving their own systems, holding the same kinds of data, underfunded and unprotected. It calls to mind that old hypocritical saying from parents to children, “Do as we say, not as we do”.

I talk with and work with many security professionals, and I rarely hear one say that things are getting better on the threat side of information security. Underfunding IT security programs is a recipe for disaster.

Situations like this also point towards the need for better alignment of security controls with business objectives, and increased use of metrics in information security. The Open Group’s Security Forum is working on initiatives in this area… Watch this space for announcements of standards that security practitioners will find useful in driving more effective information security management.

An IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.